I really appreciate your support, Markus. Thanks.

Regards,
Sarfraz

----- Original Message -----
From: Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Cc:
Sent: Friday, January 3, 2014 7:03 PM
Subject: Re: Keytab client not found in kerberos database

Hi Sarfraz,

I suggest you re-create the keytab as mentioned on the wiki for a 2008 AD server (i.e. use --enctypes 28 with msktutil).

Markus

"***some text missing***" wrote in message news:1388756850.35698.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx...

Here are the helper lines:

external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRP1@xxxxxxxxxxxxxxxxxxxxx
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRP3@xxxxxxxxxxxxxxxxxxxxx

Below entry exists in AD:

userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk

"klist -ekt"

[root@squidkhi1 ~]# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com.pk@xxxxxxxxxxxxxxxxxxxxx (DES cbc mode with CRC-32)
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com.pk@xxxxxxxxxxxxxxxxxxxxx (DES cbc mode with RSA-MD5)
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com.pk@xxxxxxxxxxxxxxxxxxxxx (ArcFour with HMAC/md5)

Regards,
Sarfraz Aslam

----- Original Message -----
From: Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Cc:
Sent: Friday, January 3, 2014 6:31 PM
Subject: Re: Keytab client not found in kerberos database

Hi Sarfraz,

You didn't say which helper you are running and with which options. The message you get should have nothing to do with authentication but with authorisation (if you use kerberos_ldap_group). You may get a similar message on the Windows client as part of the Kerberos exchange in the TGS reply.

Can you do an AD search for an entry with userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk ?

What encryption types do you get when running klist -ekt <squid.keytab> ? 2008 may require AES (if you check the wiki http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos you will see how to create a keytab for 2008).

Regards
Markus

"***some text missing***" wrote in message news:1388753727.91771.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx...

Hello Markus,

Thank you for your reply. As suggested, below is the result of klist -kt.

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com.pk@xxxxxxxxxxxxxxxxxxxxx
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com.pk@xxxxxxxxxxxxxxxxxxxxx
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com.pk@xxxxxxxxxxxxxxxxxxxxx

One thing to add, maybe it helps!! I am facing this problem after raising the Forest and Domain functional level to 2008; before this, user authentication was working fine.

Regards,
Sarfraz

----- Original Message -----
From: Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Cc:
Sent: Friday, January 3, 2014 5:35 PM
Subject: Re: Keytab client not found in kerberos database

Hi Sarfraz,

Which helpers do you run? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD, the AD entry with an attribute userprincipalname=HTTP/<squid-fqdn> cannot be found, squid-fqdn being the name you have in your squid keytab (you can check with klist -kt <squid.keytab> if you use MIT or ktutil -k <squid.keytab> list for Heimdal).

Markus

"***some text missing***" wrote in message news:1388733659.571.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx...

Hi,

Today I am having an error in squid cache.log: "error while initialising credentials from keytab client not found in kerberos database squid".

My clients that are authenticating through Active Directory fail to browse the internet; on the other hand, IP based access is working fine.

Please help to resolve this error. Thanks.

Regards,
Sarfraz
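
Added example, not part of the original thread: a Python check that parses `klist -ekt` output and reports, per principal, which encryption types from the `--enctypes 28` mask recommended above (RC4, AES128, AES256) the keytab has no key for. The host name, realm and sample output are constructed placeholders; the bit values are the ones msktutil documents for `--enctypes`.

```python
import re

# msktutil --enctypes bits (as in AD msDS-SupportedEncryptionTypes); 28 = 0x04|0x08|0x10.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")  # KVNO date time principal (enctype)

def enctype_bit(description):
    """Map a klist enctype description (long or short MIT wording) to its bit."""
    d = description.lower()
    if "aes" in d:
        return 0x10 if "256" in d else 0x08 if "128" in d else 0
    if "arcfour" in d or "rc4" in d:
        return 0x04
    if d.startswith("des ") or d.startswith("des-cbc"):
        return 0x01 if "crc" in d else 0x02 if "md5" in d else 0
    return 0  # enctypes outside the five bits above are ignored

def keytab_masks(klist_output):
    """Return {principal: OR of enctype bits} parsed from `klist -ekt` text."""
    masks = {}
    for line in klist_output.splitlines():
        m = ENTRY.match(line)  # header and separator lines do not match
        if m:
            masks[m.group(2)] = masks.get(m.group(2), 0) | enctype_bit(m.group(3))
    return masks

def missing_enctypes(klist_output, wanted=28):
    """Per principal, the wanted enctypes that the keytab holds no key for."""
    return {p: [n for b, n in ENCTYPE_BITS.items() if wanted & ~m & b]
            for p, m in keytab_masks(klist_output).items()}

# Constructed sample modelled on the thread; host and realm are placeholders.
SAMPLE = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/26/10 17:44:45 HTTP/squid.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 10/26/10 17:44:45 HTTP/squid.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 10/26/10 17:44:45 HTTP/squid.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

if __name__ == "__main__":
    for principal, lacking in missing_enctypes(SAMPLE).items():
        print(principal, "missing:", ", ".join(lacking) or "none")
```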